Musings from the Penguin...

Wednesday Jan 30, 2013

Oracle Linux provides two complementary technologies for patching and updating the operating system.

yum for updating RPM packages. Applications and libraries are packaged and distributed in the form of RPM packages, which are collected in yum repositories. Updates are installed by downloading the packages from the yum repository and installing them locally using the RPM package manager.

It's probably worth repeating that Oracle also provides updates (errata) for free from our public-yum server - you can keep your system up to date and fully patched against security threats without the need of purchasing a support subscription. This makes Oracle Linux an ideal choice to install on both your development and production systems - it is up to you to individually choose which of these systems you want to have covered by a support subscription and at which level.

We also provide updates to the Linux operating system kernel in RPM format. However, these changes only take effect after the system has been rebooted, which can be quite disruptive in certain environments. Scheduling downtime for a reboot is never easy.

This is where Ksplice enters the picture. It is a technology that allows you to apply critical fixes to the Linux kernel at run time, without the need to reboot your system. This is a feature that is unique to Oracle Linux. The system connects to the Ksplice server to obtain the individual rebootless patches, split up by security issue (which are usually tracked by CVE numbers). You can install all of the patches in one go, or choose to install only selected patches, without any service interruption or downtime. Ksplice patches can also be removed at run time, in case they show any unwanted or unexpected side-effects.

Both yum and ksplice require downloading patches from a remote server, so the client system needs to be able to connect to a remote server. In many cases, connecting to an update server located on the public Internet directly is not an option, due to security policies.

In the case of yum, it's possible to create a local copy of a repository and simply point all clients to obtain their patches from there instead. There are several ways to create and manage such local repositories, and Oracle Enterprise Manager 12c Cloud Control and Ops Center both provide built-in functionality to support this. We also published a script on OTN that automates the task of downloading RPM packages from the Unbreakable Linux Network.

For Ksplice, it was already possible to set up a local server that would act as a caching proxy server for all available patches - the client systems would only have to connect to this server instead of contacting the remote Ksplice server over the Internet directly. However, this solution requires setting up a dedicated system just for this particular task, so many customers were not too happy about this solution.

The Ksplice team at Oracle now came up with an alternative solution - instead of providing the Ksplice patches as individual downloadable items, they are bundled inside an RPM package, one for each Linux kernel version we support. Any time a new ksplice patch is available, the respective RPM package will be refreshed. This way we can now deliver Ksplice patches via yum repositories, which is a well-established transport mechanism and can utilize already existing infrastructure. The process involves two steps: first you download the ksplice patch RPM using yum, then you run the local ksplice client, which has been modified to check for updates on the local file system instead of contacting the remote server. Even though you are using RPM to download the Ksplice patch bundle RPM, you still use the local ksplice client to apply the individual patches at run time.
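The two-step offline workflow described above, written out as an added example rather than a script from Oracle or from this post. The package name pattern uptrack-updates-<kernel release>, the ksplice-offline client and its uptrack-upgrade, uptrack-uname and uptrack-show commands are assumptions taken from the Ksplice offline client's own tooling, not from the text; the script touches the live system only when invoked with the argument "apply".

```shell
#!/bin/sh
# Added example: apply Ksplice patches in offline mode from a local yum repo.
# Assumes (not stated in the post) that the ksplice-offline client package is
# installed and that a yum repository carrying the uptrack-updates-<kernel>
# bundle for this kernel is already configured on the client.
set -eu

# Build the bundle package name for a kernel release string (as from `uname -r`).
uptrack_pkg_name() {
    printf 'uptrack-updates-%s\n' "$1"
}

# Succeeds when the effective kernel version (booted kernel plus the Ksplice
# patches currently loaded) differs from the booted kernel, i.e. at least one
# rebootless patch is live.
ksplice_patched() {
    [ "$1" != "$2" ]
}

ksplice_offline_update() {
    kernel=$(uname -r)
    pkg=$(uptrack_pkg_name "$kernel")

    # Step 1: fetch the (refreshed) patch bundle over yum; yum install also
    # upgrades an already installed, older bundle to the current one.
    yum -y install "$pkg"

    # Step 2: the local client applies the individual patches at run time,
    # reading them from the file system instead of contacting the Ksplice server.
    uptrack-upgrade -y

    # Check: compare the effective kernel version with the booted one and list
    # the patches (tracked by CVE) that are now loaded.
    effective=$(uptrack-uname -r)
    if ksplice_patched "$kernel" "$effective"; then
        echo "booted kernel: $kernel, effective kernel: $effective"
        uptrack-show
    else
        echo "no Ksplice patches currently applied to $kernel"
    fi
}

# Only act on the live system when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    ksplice_offline_update
fi
```

Run it as `sh ksplice-offline.sh apply` on a client that can reach the local yum repository; without the argument it only defines the functions.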

This new Ksplice offline mode gives you the best of both worlds: being able to patch your Linux kernel at run-time without disrupting any services, while not requiring you to manage any additional infrastructure or services, or having to negotiate any exceptions to your firewall rules in order to allow your systems to contact the remote Ksplice server.

For more information about the Ksplice offline mode, please see Wim's blog post or check out the following video, which outlines the basic principles of how to apply updates to your Oracle Linux system: